Hackers Say Trucking Industry Needs to Step Up Computer Security

_________________________________________________________________________
GET THE FREE NATIONAL CYBER SECURITY APP FOR YOUR PHONE AND TABLET

The trucking industry needs to take computer security more seriously if it hopes to prevent terrorists and others from using heavy-duty trucks and buses in attacks.

At the USENIX Workshop on Offensive Technologies in Austin, Texas, earlier this week, researchers Yelizaveta Burakova, Bill Hass and Leif Millar from the University of Michigan detailed how they used a laptop to hack into heavy vehicles to change gauge settings, brake operations and acceleration controls.

In a video, the research team members demonstrated how they caused a truck to accelerate by pressing on the space bar on the computer.

“These (trucking) companies need to start looking at computer security as a potential safety issue like they look at making sure air bags work properly,” Burakova said. “It all needs to go into the same level of priority.”

Burakova’s comments echoed the concern of a Justice Department official following the use of a heavy-duty truck in a terrorist attack in Nice, France, last month. Assistant U.S. Attorney General John Carlin told Trucks.com that the federal government was worried that an increasing array of autonomous driving features in trucks and cars could turn them into terrorist weapons.

The University of Michigan Transportation Research Institute team said ever-increasing technology makes new trucks easier to drive but also vulnerable to hacking. At the same time, older trucks lack security features that would prevent terrorists from turning the trucks into weapons.

Heavy equipment, including trucks, presents a unique threat because the vehicles are much larger than passenger cars and often transport hazardous cargo, Burakova said.

The researchers decided to look for hacking vulnerability in trucks after watching high-profile terrorist attacks unfold globally in recent months, the group said. They quickly learned that hacking a big rig is not hard. In their video, they showed how they could gain control of the gauges and accelerator using a laptop computer.

Their two target vehicles were a 2006 semi-trailer and a 2001 school bus. They declined to name the make and model of the vehicles.

The researchers accessed the controls by connecting their computer to the electronic diagnostic ports in the vehicles. They then tapped into the J1939 communication system, which is commonly used in big rigs and other heavy vehicles.

The team demonstrated two distinct types of attacks – a powertrain attack and an instrument cluster attack. While threats from a powertrain attack are more obvious, causing a truck to speed up or brake, an instrument cluster attack is less obvious but just as dangerous, they said.

Such a hack could trick a driver into believing the truck is operating normally when there’s a problem. A false readout could show normal brake function when, in fact, the brakes aren’t working. Or it could trigger the speedometer to display a false speed. Such incorrect readings would place the driver and public in serious danger.

“The cluster is heavily relied upon by vehicle operators,” Hass said. “Say there’s something wrong with their brakes, we can say, ‘No your brakes are fine.’ And the driver won’t know.”

Trucks, school buses, recreational vehicles, agriculture machinery, forestry and construction equipment, locomotives and even military vehicles all use similar standard communications systems, making them all susceptible to hackers.

While some automakers, including Tesla Motors and Fiat Chrysler Automobiles, have invited so-called friendly hackers to look for weaknesses in their systems, none of the major truck manufacturers have asked the Michigan team to find ways to close vulnerabilities, Hass said.

“We’d love to get our hands on new vehicles or other models or vehicles from other industries,” Hass said. “Our hypothesis is that it works across all the vehicles that have the standard equipment, and we’d love to test that.”

Millar said taking simple measures would likely prevent many people from trying to break into a truck’s controls. For example, the team was surprised to learn that it didn’t need a password to log into the computer system on their test truck and bus.

“If they just set up a password … and make sure the security is good around it, that would require the level of sophistication needed by the adversary to be much higher,” he said.

Others are worried about truck hacking risks.

The more connectivity a truck has, the more vulnerable it is to attack, Rod Schultz, vice president of product at San Francisco-based cybersecurity firm Rubicon Labs, said in an interview with Trucks.com earlier this year.

“We’ve found that when you create a platform of that data, it’s very difficult to predict the way that data is going to be exploited,” Schultz said. “The savvy attacker figures out where the vulnerability is in the system and how to attack it.”

It’s not all bad news for the trucking industry. For now, terrorists must have physical access to the vehicle to plug in and hack its system. No one yet has found a way to do so remotely. None of the researches would say there’s no way to do it – just that so far, nobody has broken into a truck’s computer remotely.

But that’s not to say someone isn’t working on a way to do it, they said.

Traditional truck companies know safety is a “huge part” of the industry, and producers put a lot of effort, time and money into keeping their products safe, Millar said. The problem, he said, is that the type of threat is different than it ever has been, as is the sophistication level of the would-be attackers.

“It seems like the vehicle industry was quite a bit behind traditional computers, and now it’s kind of catching up,” Millar said.

“What the trucking industry needs to do is start really listening and paying attention to security researchers and taking their advice,” Burakova said. “They shouldn’t see security researchers finding vulnerabilities as an attack on them personally, but just a way to get the conversation started and to get them talking about potential mitigation techniques.”